MFA Examples

The following are valid phone numbers to be used with SMS authentication:

• +4701234567

• +34012345678

• +10123456789

The following are NOT valid phone numbers to be used with SMS authentication:

• 004701234567 (it uses the 00 prefix instead of +)

• 4701234567 (it does not use the international prefix +)

• +470123456 (the number has incorrect length)

• +47 01 23 45 67 (it contains spaces)

• +1-012-345-6789 (it contains dashes)

The following are valid secrets to be used with the Authenticator method:

• ABCDEFGHIJ234567

• MKMPIDBZ2UOUSCTZ

• ABCDEFGHIJKLMNOP

• 2345672345672345

The following are NOT valid secrets to be used with the Authenticator method:

• abcdefghijklmnop (it uses lowercase characters)

• 0123456789012345 (it uses numbers other than those from 2 to 7)

• 0123456789 (it uses invalid numbers and is shorter than 16)

• 234567ABC (it uses valid characters and numbers but is shorter than 16).

• ABCDEFGHIJKLMNOPQRSTUVWXYZ (it uses valid characters but is longer than 16)

• ABC +=1234567DEF (it uses invalid symbols)

The following are valid values for the norEduPersonServiceAuthnLevel attribute. Please note that line feeds are used for display purposes and should be disregarded:

• urn:mace:feide.no:spid:all urn:mace:feide.no:auth:level:fad08:3 (enable multifactor authentication for all services)

• urn:mace:feide.no:spid:123 urn:mace:feide.no:auth:level:fad08:3 (enable multifactor authentication for the service with Service ID number 123)

The following are valid values for the norEduPersonAuthnMethod attribute. Please note that line feeds are used for display purposes and should be disregarded.

• For a device labeled “Mobile”

  urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZW
  5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdDG
  JBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZx
  12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e9
  5uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjwx
  HWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRuo
  YhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g.
  LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZthk
  aM9w.MWE29ywstyWKCrCUttUYZg label=Mobile
  

• For a device labeled “My mobile phone”

  urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZW
  5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdDG
  JBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZx
  12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e9
  5uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjwx
  HWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRuo
  YhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g.
  LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZthk
  aM9w.MWE29ywstyWKCrCUttUYZg label=My%20mobile%20phone
  

• For a device labeled “% = %”

  urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZ
  W5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdD
  GJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZ
  x12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e
  95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjw
  xHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRu
  oYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g
  .LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZth
  kaM9w.MWE29ywstyWKCrCUttUYZg label=%25%20%3D%20%25
  

The following are NOT valid values for the norEduPersonAuthnMethod attribute. Please note that line feeds are used for display purposes and should be disregarded.

• The method identifier URN does not correspond with Feide’s Authenticator method

  urn:mace:feide.no:auth:method:authenticator eyJhbGciOiAiUlNBLU9
  BRVAiLCAiZW5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLy
  vP5KNnqEdDGJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtV
  SjlkhK7CVZx12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquh
  P1mTfFv76e95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3B
  F1krNBXQjwxHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXV
  SOEn3JKiRuoYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5
  NSWNBE0x3g.LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC
  5EnKyyYZthkaM9w.MWE29ywstyWKCrCUttUYZg label=Mobile
  

• The encrypted secret is not a valid secret

  urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZW
  5jIjogIkExMjhDQkMtSFMyNTYifQ..MWE29ywstyWKCrCUttUYZg label=Mobile
  

• The Authenticator secret is not encrypted

  urn:mace:feide.no:auth:method:ga ABCDEFGHIJ234567 label=Mobile
  

• The encrypted secret contains equal signs that are not percent encoded

  urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZ
  W5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdD
  GJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZ
  x12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e
  95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjw
  xHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRu
  oYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g
  .LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZth
  kaM9w.MWE29ywstyWKCrCUttUYZg=== label=Mobile
  

• The label contains spaces and percent signs that are not percent encoded

  urn:mace:feide.no:auth:method:ga eyJhbGciOiAiUlNBLU9BRVAiLCAiZ
  W5jIjogIkExMjhDQkMtSFMyNTYifQ.X7IU3zolmVtGzXxfKIxJLyvP5KNnqEdD
  GJBQNx8Y8VwvvdoeGjTiiU0V5OJKykylEhUITVTQ1l5snlBndVtVSjlkhK7CVZ
  x12OUcferIIC90tBg-GJRbom-RWVIYbXdB1jcUwMaUPZB49yoquhP1mTfFv76e
  95uize124XfyowcrM6dnPWhSSuPgDzp3_oA8e5Z6U1qzm-mDHe3BF1krNBXQjw
  xHWY4lC1zd7wbIGhBcngqmK8-ebRyDelMUpbOSgADWiQxdTeEkXVSOEn3JKiRu
  oYhggePNWM1rGnarooUktnuxdK6pggRSIAPkzM-ghJEDPtuk5gc5NSWNBE0x3g
  .LgmSqnSduW8WnpUjPfF4Gg.In2Wd2AU-6OMRxFily8EbKtmG4gC5EnKyyYZth
  kaM9w.MWE29ywstyWKCrCUttUYZg label=My mobile %phone
  

The following is a valid QR code to configure an Authenticator instance with the label My device and the secret ABCDEFGHIJ234567: